The EU's General Data Protection Regulation 2016/679 or GDPR sets out the conditions under which employees’ personal data can be processed. In order to process personal data lawfully, at least one ground under GDPR must apply.

Who does the GDPR apply to? The GDPR applies to organizations that are established in the EU (regardless of whether the personal data that they process is of EU data subjects or not). The GDPR also applies to the processing of personal data by non-EU entities, where such processing is in the context of offering goods or services to data subjects in the EU or in the context of monitoring of the behavior of data subjects in the EU.

And what is personal data? It is defined very broadly in the GDPR as any information relating to an identified or identifiable natural person. In practice this means that data collections and reviews will nearly always involve the processing of personal data.

Some types of personal data attract greater protection, e.g. personal data revealing racial/ ethnic origin, political opinions, religious or philosophical beliefs, or health or sexual orientation. Because of the additional protections given to such data, it is advisable to minimize the amount of this type of data collected although in most cases it will be difficult to completely remove the possibility of collecting this type of data.

What are the grounds to lawfully process personal data? Unless it can be argued that processing is necessary to comply with a EU or EU Member State law (e.g. compelled requests where non-compliance would be an offense) the key grounds for processing personal data that are relevant to investigations tend to be: consent; or that the processing is required for the company’s legitimate interests, except where these interests are overridden by the interests or rights of the data subject.

Consent. Relying on employee consent to process is considerably more difficult under the GDPR. Consent will not be valid unless it is:

freely given (i.e. a product of an individual’s genuine free choice; not a product of an imbalance of power between the company and the individual, which is more difficult in an employment context; independent from any contract to perform; as easy to withdraw as it is to give)

specific and informed (given separately for each purpose; clearly distinguishable from other matters; independent of an employment contract), and

In any case, from a UK perspective, guidance from the Information Commissioner's Office states that due to the inherent imbalance of power in an employment relationship, an employer may not be deemed to have obtained free and valid consent. This is the position taken in other member states too. Also, the requirement to attain specific consent for each singular purpose of use is likely to impede seeking to rely on consent in a confidential investigation.

As a result, processing should be carried out under a different ground of the GDPR where possible.

Legitimate interest. Aside from consent, the legitimate interest condition is usually the most relevant condition when conducting investigations of employees. When seeking to rely on this condition, the company should perform and document a balancing assessment of the company’s interests in collecting, reviewing and/or disclosing the data against the employee’s interests in privacy.

This may include consideration of whether, for example: (i) there is a reasonable level of suspicion of misconduct based on specific, documented facts, (ii) the likely prejudice suffered by the individual arising from the processing, (iii) the processing is necessary to achieve the legitimate interests/there are no less intrusive investigative measures possible, and (iv) the review is reasonable based on the balancing the individual’s interests against the employer’s.

An important factor in undertaking the balancing test under the legitimate interests condition is to assess whether the data subject would reasonably expect the type of processing. This assessment should factor in what the individual has previously been informed of, whether there is scope to inform the individual of the processing prior to the collection, and what a person in the role of the subject might reasonably expect.

Where legitimate interest is the basis for processing data, the data subject will have a right to object to the processing of their data, but where there are ”compelling reasons” to override the individual’s objection a company can continue to process their data for those purposes. A company must in any event inform individuals of their right to object “at the point of first communication” in its privacy notice. For new employees, this will be when they join the company. For others, it may be when the company puts in place a new privacy notice or provides training. It is generally advisable for companies to document the legitimate interest balancing exercise that they have undertaken by way of a legitimate interest impact assessment.

The legitimate interest condition is necessity-based, which means that the condition may be relied upon only to the extent that the processing is necessary for the purpose of the company’s legitimate interests.

Legitimate interest cannot be relied on the collection and review of the more sensitive types of personal data referred to above, e.g. personal data revealing racial/ ethnic origin, political opinions, religious or philosophical beliefs, or health or sexual orientation. In these situations, one of the more restrictive legal grounds set out in the GDPR or member state law must be established (for example, that the processing of the more sensitive data is “necessary of the establishment, exercise or defense of legal claims”).

____

Other Ongoing Considerations:

Transparency. Organizations must inform their employees of how they will handle their personal data, including in the context of investigations in order to satisfy the transparency obligation under the GDPR. As mentioned above, the provision of this information is also key to supporting an argument that the legitimate interest ground can be relied on.

It is possible to avoid providing notice of the processing (which is a requirement under Article 13 of the GDPR) in certain circumstances, for example if the crime and taxation exemption applies under the Data Protection Act 2018, provided that providing the information about the collection of data would be likely to prejudice the prevention or detection of crime. In some cases, an employer will be willing to take the risk.

Is a Data Protection Impact Assessment required? An impact assessment is required if the is likely to result in a "high risk to the rights and freedoms of natural persons” (for example, if conducting ongoing surveillance of employee communications). If this is the case, the company will need to consider and document the nature and scope of the proposed investigation, the reasons for conducting the review, its assessment of the necessity and proportionality of the measures, the risks associated with the processing, and the impact on the employee’s privacy.

Continuing Assessment and Accountability. Any legitimate interests assessment or data protection impact assessment must be kept under review and updated as required throughout the investigation (at least when there is a change of the risk represented by processing operations). When processing data, an assessment must be made as to whether it is being processed in a manner that is compatible with the original purpose.

In general, no sensitive or private employee data, such as personal photos, medical appointments or private emails should be collected or reviewed. In light of these considerations, possible approaches include: (i) limiting the timeframe of the review, (ii) limiting who has access to the data, (iii) using focused search terms and/or technology assisted review to restrict what communications are reviewed, and (iv) ensuring that all custodians can be justified.

In order to comply with the principle of accountability, details of any data protection decisions made in relation to an investigation, such as the legitimate interest balancing test outcome or a decision taken about the application of an exemption to the transparency requirement, should be documented in case evidence needs to be produced.

Key Takeaways:

1. It is now much more difficult to rely on an employee’s consent as a grounds for processing.

2. If consent cannot be relied on, another ground for processing will need to be identified (usually the employer’s legitimate interest in reviewing the data).

3. Where reliance is placed on the legitimate interests ground, the balancing exercise (i.e. between the interests of employer and employee) should be carefully documented.

4. In some circumstances (e.g. employee surveillance) a documented impact assessment may be required.

5. Processing should be necessity-based (only when and to the extent necessary -- which should be re-evaluated throughout the investigation and re-documented as necessary).

6. Additional requirements may apply where personal data is being transferred from one jurisdiction to another as part of an investigation.

7. Steps should be taken to limit as far as possible the review of sensitive personal data.

____

Lara White, pictured above left, is a Partner in Norton Rose Fulbright LLP based in London. Her practice focuses on data privacy and she has extensive experience of advising on large-scale IT and business process outsourcing arrangements. She assists clients with privacy issues including: large scale GDPR compliance programs, cross-border privacy solutions, data subject rights, and data security incidents. She can be contacted here.

Andrew Reeves, above center, is a Senior Associate based in Norton Rose Fulbright’s London office. He represents corporations, financial institutions and ‎senior executives in relation to a range of major regulatory and criminal investigations, including those brought by the UK Serious Fraud Office, Financial Conduct Authority, and Information Commissioner’s Office, as well as U.S. and various local regulators and prosecutors. He can be contacted here.

Sarah Greenwood, above right, is an Associate based in Norton Rose Fulbright’s London office. Sarah has experience advising large cross-border regulatory investigations and has advised clients on a broad range of matters relating to money laundering, anti-bribery & corruption, human rights, economic sanctions, cybersecurity and data protection. She can be contacted here.

Reader Comments (1)

Great article. It made me wonder a few things:1) if data privacy policies cover such matter and also if investigation documented policy/procedure consider this as a principle;2) the assessment may not only be made in general (in the abovementioned policies / procedures, but also may need to be exercised during the investigation, as a proportionality test for investigative measures taken.